Microsoft Corp. Buys Israeli Security Critic Aorato

Microsoft is buying an Israel-based company whose specialty is pointing out the security flaws in its premier products. On Thursday Microsoft spokespeople announced that it was buying Israeli cyber-security firm Aorato, confirming rumors that had been circulating for several weeks. Vice-President Takeshi Numoto wrote in a blog post that the company was “making this acquisition to give customers a new level of protection against threats through better visibility into their identity infrastructure. With Aorato we will accelerate our ability to give customers powerful identity and access solutions that span on-premises and the cloud, which is central to our overall hybrid cloud strategy.”

Aorato has long been on Microsoft’s radar for discovering and publicizing security problems in Active Directory (AD), the premier identity server in use today. Among those problems was one in which the way users and computers are authenticated in a Windows domain-based network could enable an attacker to change a user’s password, despite the identity-theft protections in place.

Considering the fact that 95% of all Fortune 1000 companies have an Active Directory deployment, “we consider this vulnerability highly sensitive,” said Aorato’s vice president of research, Tal Be’ery. “And even worse, the vulnerability was put there by design.” Stopping short of using the term “irresponsible,” Be’ery thinks the company could do better. “With great power comes great responsibility,” he said. “If it was a smaller company I would cut them some slack, but when you power 95% of the enterprise infrastructure, you have to be much more careful.”

AD assigns and enforces security policies for all computers, folders, files, objects, and users on a network, and being able to access it gives attackers, in essence, free rein to steal data at will — or to wreak havoc on a system by trashing the relationships between users and resources. That kind of attack could put a company’s computers out of business for hours, if not days.

The exploit is based on the fact that an older user authentication method, called NTLM, is activated by default in AD. Attackers can use NTLM to obtain hashed login credentials (NTLM hashes) for users in order to access AD accounts, in what is called a “pass-the-hash” (PtH) attack. The hashes can be captured using off-the-shelf hacking tools. According to Be’ery, “this activity is not logged in system and 3rd party logs — even those that specifically log NTLM activity. So there are no alerts or other forensic data to ever indicate that an attack took place.”

PtH attacks were first documented in 1997, but the emergence of automated hacking tools has made the risk to companies using AD all the greater. “Common tools such as WCE and Metasploit have support to carry out PtH attacks in an automated manner,” said Be’ery.

PtH, in fact, was a key component in the major hack of US retailer Target last December, in which the credit card information of millions of customers was compromised. And unfortunately, turning off the riskier NTLM authentication system and using the more secure Kerberos one (used by newer versions of AD) is not an option for companies that need to integrate older systems and networks into their corporate infrastructure, said Be’ery. “We’ve discussed this with many customers, and relying only on the newer authentication procedures just isn’t practical.”
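Before an organization can decide whether the NTLM-only fallback described above can be switched off, it needs to know which accounts still depend on it. The following is an added example, not code from the article or from Aorato: it parses constructed log lines modelled on the fields of Windows Security event 4624 (account, logon type, authentication package, source) and reports which accounts never use Kerberos and which accounts authenticate with NTLM from unusually many sources. The field layout and all sample values are assumptions made for the illustration; it inventories NTLM use, it does not detect a pass-the-hash itself.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Windows Security event 4624 fields
# (not real captured logs). Each line: account, logon type, auth package, source.
SAMPLE_LOGONS = """\
4624 Account=CORP\\alice LogonType=3 AuthPkg=Kerberos Source=10.0.5.21
4624 Account=CORP\\alice LogonType=3 AuthPkg=NTLM Source=10.0.9.77
4624 Account=CORP\\svc_backup LogonType=3 AuthPkg=NTLM Source=10.0.2.10
4624 Account=CORP\\svc_backup LogonType=3 AuthPkg=NTLM Source=10.0.2.10
4624 Account=CORP\\bob LogonType=3 AuthPkg=NTLM Source=10.0.9.77
4624 Account=CORP\\bob LogonType=3 AuthPkg=NTLM Source=10.0.9.78
4624 Account=CORP\\bob LogonType=3 AuthPkg=NTLM Source=10.0.9.79
4624 Account=CORP\\carol LogonType=3 AuthPkg=Kerberos Source=10.0.5.22
"""

LINE_RE = re.compile(
    r"4624 Account=(?P<account>\S+) LogonType=(?P<ltype>\d+) "
    r"AuthPkg=(?P<pkg>\S+) Source=(?P<src>\S+)"
)

def parse_logons(text):
    """Yield a dict for each network logon (type 3) that parses cleanly."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("ltype") == "3":
            yield m.groupdict()

def ntlm_inventory(text):
    """Map each account to the set of sources that still authenticate with NTLM."""
    by_account = defaultdict(set)
    for ev in parse_logons(text):
        if ev["pkg"].upper() == "NTLM":
            by_account[ev["account"]].add(ev["src"])
    return dict(by_account)

def ntlm_only_accounts(text):
    """Accounts that never authenticate with Kerberos: a blanket NTLM disable
    would break these, so they need a legacy-system review first."""
    pkgs = defaultdict(set)
    for ev in parse_logons(text):
        pkgs[ev["account"]].add(ev["pkg"].upper())
    return sorted(a for a, p in pkgs.items() if p == {"NTLM"})

def spread_ntlm_accounts(text, min_sources=3):
    """Accounts whose NTLM logons arrive from many sources. A wide fan-out is
    worth reviewing: a legitimate service usually has a fixed footprint."""
    inv = ntlm_inventory(text)
    return sorted(a for a, s in inv.items() if len(s) >= min_sources)
```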

When it discovered the problem, Aorato informed Microsoft, which responded that it wasn’t news to the company. Indeed, Microsoft had already published details of the exploit and how to avoid it. But what really bothered Aorato, the company said, is that the AD vulnerability is not an exception or security hole — it was put there on purpose.

“Microsoft recognized our findings to be valid but confirmed that this is a ‘limitation’ that cannot be fixed as it stems from the design of the authentication protocols,” Aorato said in a blog post. “Additionally, since these protocols’ specifications are publicly available, Microsoft considers this ‘limitation’ to be ‘well known.’ We consider the fact that attackers can change the victim’s password by only knowing the NTLM hash to be a flaw. If this flaw is by design, this simply makes it a ‘by-design’ flaw.”

Aorato’s business is built around making AD more secure, said Be’ery. “We have developed tools to determine if this kind of attack, as well as others, have been carried out on AD, allowing us to help customers mitigate damage. To do that, we study closely the interactivity of elements in a network, including users, devices, servers, etc. Our tools can detect the very subtle changes that you would never find in log files.”

Jewish Techs: The Jewish Technology Blog

This blog looks at how modern technology affects Jewish life, particularly the impact of the Internet on Jews across the globe. The Internet has made the Jewish community seem smaller. The Jewish Techs blog, written by blogger Rabbi Jason Miller (The Techie Rabbi), explores the places where Jewish culture, education and faith intersect with technology. Of course, like anything, Jews will continue to ask if technology is good or bad for the Jews – the age-old question of our people. Good or bad, it is undisputed that technology has changed Jewish life. If you’re Jewish or interested in technology or both… you’ll enjoy the conversation. Thanks for reading the Jewish Techs blog.

The Techie Rabbi – Rabbi Jason Miller

Jason Miller is NOT your typical rabbi. Known as the Techie Rabbi, he launched Access Computer Technology in 2010 and has grown it into a full-scale technology firm that provides social media marketing consulting and web design in addition to IT support. Ordained at the Jewish Theological Seminary a decade ago, Rabbi Jason has made a name for himself as a popular blogger, social media expert, educator and entrepreneur. Based in Detroit, his congregation includes more than a million people who read his blog and follow him in cyberspace. He began the Jewish Techs blog in January 2010 as the New York Jewish Week's technology expert.

An entrepreneurial rabbi and an alum of Clal's "Rabbi Without Borders" fellowship, Jason Miller is a rabbi and thought leader whose personal blog has been viewed by millions. The Detroit Free Press called him "the most tech-savvy Jewish leader" and the Huffington Post ranked him among the top Jewish Twitter users in the world. A social media expert, Rabbi Jason is a popular speaker and writer on technology and its effect on the Jewish world. He writes the "Jewish Techs" blog for The Jewish Week and the monthly "Jews in the Digital Age" column for the Detroit Jewish News.

Miller won the 2012 Young Entrepreneur of the Year Award from the West Bloomfield Chamber of Commerce and is one of the winners of a Jewish Influencer award from the National Jewish Outreach Program.